QUALITY CONTROL REVIEW OF CONTROLS OVER THE ENTERPRISE SERVICES CENTER
Department of Transportation

Report Number: QC-2011-001
Date Issued: October 5, 2010

U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject: ACTION: Quality Control Review of Controls Over the Enterprise Services Center, Department of Transportation
Report No. QC-2011-001
Date: October 5, 2010

From: Earl C. Hedges
Acting Assistant Inspector General for Financial and Information Technology Audits
Reply to Attn. of: JA-20

To: Assistant Secretary for Budget and Programs/Chief Financial Officer

This report summarizes the results of our annual review of general, application, and operational controls over the Department of Transportation's (DOT) Enterprise Services Center (ESC). As a Federal service provider, the ESC provides financial management support services to Federal agencies, including accounting, financial management, systems and implementation support services, customer services, and telecommunications and data center services. In addition to DOT, the Center supports the National Endowment for the Arts, the Institute of Museum and Library Services, the Commodity Futures Trading Commission, the Consumer Product Safety Commission, the National Credit Union Administration, and the Government Accountability Office. It is staffed by Federal Aviation Administration (FAA) employees at the Mike Monroney Aeronautical Center in Oklahoma City, under the direction of DOT's Chief Financial Officer.

The Office of Management and Budget (OMB) requires Federal service providers either to (1) provide their user organizations with independent audit reports on the design and effectiveness of internal controls, or (2) allow user auditors to perform tests of controls at the service organizations.[1] This audit covered both the Delphi Financial Management System[2] and the Consolidated Automation System for Time and Labor Entry (CASTLE) hosted at the ESC. CASTLE is used to support DOT operations only.

[1] OMB Memorandum M-08-24
[2] The Delphi system includes ESC PRISM, a federal acquisition system.

Clifton Gunderson, LLP, of Calverton, Maryland, completed this audit under contract to the Office of Inspector General (OIG). OIG staff performed a quality control review of the firm's audit work to ensure that it complied with generally accepted government auditing standards and the American Institute of Certified Public Accountants' Statement on Auditing Standards No. 70 (SAS-70). SAS-70 requires auditors to determine whether service organizations (1) fairly described their controls, (2) suitably designed the controls, and (3) effectively implemented the controls. Our review disclosed no instances in which Clifton Gunderson did not comply in all material respects with applicable auditing standards.

Clifton Gunderson concluded that ESC described its controls fairly in all material respects, and that the controls were suitably designed to meet stated control objectives. Clifton Gunderson also found that the tested controls operated with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified by management were achieved from October 1, 2009, through June 30, 2010. However, the firm also found that ESC's configuration management controls did not operate effectively, and that this weakness undermined the Center's access controls. Specifically, the Delphi system operated on a database for which the vendor had stopped providing security updates in February 2009. Furthermore, ESC did not apply in a timely manner the critical security updates that the vendor had provided, and did not assess the system for vulnerabilities or evaluate the risks those vulnerabilities posed. Clifton Gunderson's recommendations to correct these and other control deficiencies appear in the Exhibit to this report.

In his September 29, 2010, response to OIG, the Deputy Chief Financial Officer concurred with the recommendations and committed to implementing corrective actions (see the Appendix to this report).

In accordance with DOT Order 8000.1C, the corrective actions taken in response to Clifton Gunderson's recommendations are subject to follow-up. Clifton Gunderson performed additional testing and provided a follow-up management letter to OIG dated September 30, 2010, reporting no significant changes to the control environment between July 1 and September 30, 2010. Clifton Gunderson's follow-up letter did not include any further corrective actions.

We appreciate the courtesies and cooperation of Department of Transportation representatives during this audit.
If you have any questions concerning this report, please call me at (410) 962-1729 or Nathan Custer, Program Director, at (202) 366-5540.

Attachments

cc: Chief Information Officer, DOT
    Deputy Chief Financial Officer, DOT
    Assistant Administrator for Financial Services/CFO, FAA
    Assistant Administrator for Information Services/CIO, FAA
    Assistant Administrator for Region/Center Operations, FAA
    Director, Mike Monroney Aeronautical Center, FAA
    Martin Gertel, M-1
    Anthony Williams, AAE-001

EXHIBIT. RECOMMENDATIONS OF CLIFTON GUNDERSON, LLP, INDEPENDENT AUDITOR

Clifton Gunderson LLP made the following recommendations during its review of general, application, and operational controls over the DOT ESC in fiscal year 2010. OIG agrees that DOT management should implement the following actions to enhance ESC controls.

Configuration Management

1. Promptly upgrade Delphi's operating system platform to an Oracle certified operating system.
2. Apply software security patch releases on a timely basis.
3. Ensure the system's authorizing official is promptly informed, and a risk acceptance is received, for any critical or high vulnerabilities that are not addressed. If the risk acceptance lapses, or the situation changes, the authorizing official should renew the acceptance of the risk. Closed in follow-up.
4. Follow Federal and Department guidance in applying critical patch updates on the required timelines.

Access Controls

5. Implement effective authentication and authorization controls for the audit log server. Closed in follow-up.
6. Implement proper mechanisms to track all contractors who separate from the ESC. Closed in follow-up.
7. Enforce the contract clause requiring contractors to communicate in a timely manner all terminated employees. Closed in follow-up.

Security Management

8. Ensure the CASTLE information system security plan is updated to reflect current operating procedures and that any changes made are reviewed in a timely manner. Closed in follow-up.

APPENDIX. MANAGEMENT COMMENTS

September 29, 2010

MEMORANDUM TO: Earl Hedges
               Acting Assistant Inspector General for Financial and Information Technology Audits

FROM:          David J. Rivait
               Office of the Assistant Secretary for Budget and Programs/Deputy Chief Financial Officer

SUBJECT:       Management Response to the SAS 70 Audit of ESC's Services Information Security Controls

The Department provides diligent oversight as it works to ensure the quality, accuracy, and integrity of the services provided by the Enterprise Services Center (ESC). The Office of Inspector General's (OIG) annual SAS 70 audit, as administered this year by its contractor, Clifton Gunderson (CG), is integral to these efforts. Once again this year the audit offers considerable insights and fresh perspectives that enable us to further improve our already strong management and controls over financial systems in this ever-changing cyber security environment.

CG issued a qualified opinion on the SAS-70 audit stating that the Delphi database was unsupported; however, upon further detailed review, we have determined that the software remains supported by Oracle and will continue to be until we move the system to an updated version of the software. Subsequent to CG's report, we provided the OIG with detailed documentation including statements by Oracle regarding system support and our analysis. That analysis determined the Delphi environment is fully supported by Oracle and has never been in a non-support status. This conclusion was confirmed through our discussions with, and documentation provided by, Oracle. The current Delphi process of mitigating user and system controls will continue to address any vulnerabilities including unauthorized database access, service disruption, data loss or manipulation. As a result, while the Department is planning to upgrade Delphi's operating system, the existing operating system will continue to be supported through the upgrade. We will continue working through this issue with the OIG to convey a full appreciation of the issues, the status of ongoing operations and our plans moving forward.

The Department concurs with CG's other recommendations and has identified corrective actions to remediate the findings. Consistent with past practices, ESC has worked with the auditors throughout this year's SAS 70 audit to identify and schedule corrective actions as audit findings are documented, to ensure swift and appropriate management action. These corrective action plans will be forwarded to you under separate cover prior to October 1, 2010.

As a Federal Shared Service Provider (FSSP) designated by the Office of Management and Budget (OMB) to provide a state-of-the-art financial system and quality accounting services to other Federal agencies, ESC has demonstrated its strong commitment to ensuring that its Financial Management Services meet or exceed all information security requirements.

Thank you for your continuing support and assistance in this effort.

cc:
Maria Dowds, Joann Adam, Laurie Park, Wendy Calvin, Marshal Gimpel, Mike Upton, Keith Burlison, Bo Peeler, Steve Aube, Janet Shell, Nina Boyle, Kent Mitchell